
8 Best Practices for Azure AD Roles


Azure Active Directory (Azure AD) lets you target Azure AD groups for role assignments. Assigning roles to groups can simplify the management of role assignments in Azure AD with minimal effort from your Global Administrators and Privileged Role Administrators.

In this article, we will share with you the eight best practices for Azure AD roles assignment.

Introduction

Consider the example where your company has hired people across different countries to manage and reset passwords for employees in its Azure AD organization. Instead of asking a Privileged Role Administrator or Global Administrator to assign the Helpdesk Administrator role to each person individually, that administrator can create a Cloud_Helpdesk_Administrators group and assign the role to the group once.

When people join the group, they are assigned the role indirectly. Your existing governance workflow can then take care of the approval process and auditing of the group’s membership to ensure that only legitimate users are members of the group and are thus assigned the Helpdesk Administrator role.

This article describes eight best practices for using Azure Active Directory role-based access control (Azure AD RBAC) and roles assignment.

1) Manage to least privilege

When planning your access control strategy, the first best practice is to manage to least privilege. Least privilege means you grant your administrators exactly the permissions they need to do their job, and nothing more.

There are three aspects to consider when you assign a role to your administrators: a specific set of permissions, over a specific scope, for a specific period of time.

Avoid assigning broader roles at broader scopes, even if it initially seems more convenient to do so. By limiting roles and scopes, you limit which resources are at risk if the security principal is ever compromised. Azure AD RBAC supports over 65 built-in roles, so a role narrower than Global Administrator is usually available for the task at hand.

There are Azure AD roles to manage directory objects like users, groups, and applications, and also to manage Microsoft 365 services like Exchange Online, SharePoint, and Intune.

2) Use Privileged Identity Management

The second best practice is to use Privileged Identity Management (PIM) to grant just-in-time access.

If you do not want members of the group to have “always-on” access to a role, you can use Azure AD Privileged Identity Management (PIM) to make the group eligible for a role assignment instead of permanently assigned. The problem with standing access is that a user with standing privileges to critical IT resources always has those privileges, regardless of whether that user actually needs access to those resources at this time, or indeed ever; eligibility removes that standing access.

With Privileged Identity Management (PIM), each member of the group is then eligible to activate the role assignment for a fixed, limited duration.

One of the principles of least privilege is that access should be granted only for a specific period of time. Azure AD Privileged Identity Management (PIM) lets you grant just-in-time access to your administrators. Microsoft recommends that you enable PIM in Azure AD.

Using PIM, a user can be made an eligible member of an Azure AD role where they can then activate the role for a limited time when needed. Privileged access is automatically removed when the timeframe expires.

You can also configure PIM settings to require approval or receive notification emails when someone activates their role assignment.

The notifications in PIM provide an alert when new users are added to highly privileged roles.
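
The three aspects of least privilege from best practice 1 (a specific role, a specific scope, a specific period) and the just-in-time activation from best practice 2 come together in one assignment. The following is an added example, not code from the original post, written for the Microsoft Graph PowerShell SDK. It assumes a signed-in Privileged Role Administrator, a hypothetical user helpdesk.fr@contoso.example, a hypothetical administrative unit named Contoso-France, and ticket numbers that are placeholders. It grants Helpdesk Administrator only over that administrative unit, only as an eligible assignment that expires after a year, and then shows the activation the administrator performs for a four-hour window.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a signed-in Privileged Role Administrator. User, administrative unit, tickets and
# durations are hypothetical placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","AdministrativeUnit.Read.All","User.Read.All"

$user = Get-MgUser -UserId "helpdesk.fr@contoso.example"                               # hypothetical principal
$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Contoso-France'"     # hypothetical AU
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# Specific permissions: Helpdesk Administrator, not Global Administrator.
# Specific scope: one administrative unit, not the tenant root "/".
# Specific period: eligibility expires after one year; each activation lasts at most four hours.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Regional password resets, ticket INC-0000"     # hypothetical
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# What the eligible administrator later runs, signed in as themselves, to activate just-in-time.
$activation = @{
    action           = "selfActivate"
    justification    = "Reset password for ticket INC-0001"              # hypothetical
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Verify: the principal should hold only the scoped, time-bound assignment, with an end date.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, AssignmentType,
        @{ n = 'EndsAt'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

Two caveats: the activation duration is capped by the role's PIM settings (and the settings may also require approval or MFA before the request succeeds), and a `directoryScopeId` of `/` would silently turn this back into a tenant-wide assignment, so check the verification output rather than trusting the request.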

3) Turn on multifactor authentication (MFA)

MFA, MFA, and MFA. Turn on MFA for all your administrator accounts, as well as for all users’ accounts.

Based on various studies, your account is 99.9% less likely to be compromised if you use multifactor authentication (MFA).

You can enable MFA on Azure AD roles using two methods:
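
One place to enforce MFA for everyone who holds a directory role is a Conditional Access policy that targets the roles themselves rather than a list of named users, so the protection follows the role assignment. The following is an added example, not code from the original post, for the Microsoft Graph PowerShell SDK; it assumes a signed-in Conditional Access Administrator and two hypothetical emergency access accounts, which are excluded for the reason given under best practice 5. The role names are looked up from the tenant's role templates, so no identifiers are hardcoded.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a signed-in Conditional Access Administrator. Break-glass UPNs are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","RoleManagement.Read.Directory","User.Read.All"

# Privileged roles to protect; extend the list for your tenant.
$adminRoleNames = @(
    "Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator",
    "Security Administrator", "Conditional Access Administrator", "Authentication Administrator",
    "User Administrator", "Helpdesk Administrator", "Exchange Administrator",
    "SharePoint Administrator", "Application Administrator", "Cloud Application Administrator"
)
$templates = Get-MgDirectoryRoleTemplate | Where-Object { $adminRoleNames -contains $_.DisplayName }
$missing   = $adminRoleNames | Where-Object { $_ -notin $templates.DisplayName }
if ($missing) { throw "Role template(s) not found, check the names: $($missing -join ', ')" }

# Emergency access accounts are excluded here; they are protected with a different mechanism
# (see best practice 5) so a failure of the normal MFA path cannot lock every admin out.
$breakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example") |   # hypothetical
    ForEach-Object { (Get-MgUser -UserId $_).Id }

$policy = @{
    displayName = "CA001 - Require MFA for privileged directory roles"
    state       = "enabledForReportingButNotEnforced"   # start in report-only, switch to "enabled" after review
    conditions  = @{
        users          = @{ includeRoles = @($templates.Id); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The policy is created in report-only mode on purpose: review the sign-in log for the policy's evaluated result before setting `state` to `enabled`, and keep the break-glass exclusion in place when you do.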

4) Configure recurring access reviews

The fourth best practice is to configure recurring access reviews to revoke unneeded permissions over time.

Employees' need for access to privileged Azure resources and Azure AD roles changes over time. To reduce the risk associated with stale role assignments, you should review that access regularly.

Access reviews help you to review administrators’ access regularly to make sure only the right people have continued access.

Regular auditing of your administrators is crucial because of the following reasons:

  • A malicious actor can compromise an account, and every standing assignment that account holds becomes the attacker's.
  • People move teams within a company. If there's no auditing, they can amass unnecessary access over time.

For information about access reviews for roles, please check on how to create an access review of Azure AD roles in PIM.

For information about access reviews of groups that are assigned roles, please check on how to create an access review of groups and applications in Azure AD access reviews.
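
A recurring review of the role-assignable group from the introduction, where the group's owners are the reviewers and non-response removes access instead of keeping it, looks like this. It is an added example, not code from the original post, written for the Microsoft Graph PowerShell SDK; it assumes a signed-in Identity Governance Administrator, that the Cloud_Helpdesk_Administrators group exists, and a hypothetical fallback reviewer iam.lead@contoso.example for the case where the group has no owners.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK,
# a signed-in Identity Governance Administrator and an existing role-assignable group.
# The fallback reviewer UPN is hypothetical.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All","Group.Read.All","User.Read.All"

$group    = Get-MgGroup -Filter "displayName eq 'Cloud_Helpdesk_Administrators'"
$fallback = Get-MgUser -UserId "iam.lead@contoso.example"     # hypothetical

$review = @{
    displayName          = "Quarterly review - Cloud_Helpdesk_Administrators"
    descriptionForAdmins = "Confirm every member still needs the Helpdesk Administrator role."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers         = @( @{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" } )
    fallbackReviewers = @( @{ query = "/users/$($fallback.Id)";      queryType = "MicrosoftGraph" } )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"    # no response: access is removed, not silently kept
        autoApplyDecisionsEnabled       = $true     # apply the outcome without a manual follow-up
        instanceDurationInDays          = 7
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
```

The two settings that matter most for stale access are `defaultDecision = "Deny"` and `autoApplyDecisionsEnabled`: without them a reviewer who ignores the review leaves every member in place, which is the outcome the review exists to prevent.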

5) Limit the number of Global Administrators

The fifth best practice is to assign the Global Administrator role to fewer than five people in your organization.

Global Administrators hold keys to the kingdom, and it is in your best interest to keep the attack surface low. As stated previously, all of these accounts should be protected with multifactor authentication.

Microsoft recommends that you keep two break glass accounts that are permanently assigned to the Global Administrator role. Make sure that these accounts don't depend on the same multifactor authentication mechanism as your normal administrative accounts to sign in, so that an outage or misconfiguration of that mechanism cannot lock every administrator out, as documented on how to manage emergency access accounts in Azure AD.

Learn more on how to monitor Azure AD emergency accounts (break glass accounts) with Microsoft Sentinel.

6) Use groups for Azure AD role assignments

The sixth best practice is to use groups for Azure AD role assignments and delegate the role assignment.

If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups instead of individual users. You can also manage role-assignable groups in Privileged Identity Management (PIM) to ensure that there are no standing owners or members in these privileged groups.

To learn more, please check the management capabilities for privileged access Azure AD groups.

You can assign an owner to role-assignable groups. That owner decides who is added to or removed from the group and therefore, indirectly, who holds the role, so treat ownership of such a group as a privileged assignment in its own right. A Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups.

To learn more, please check on how to use Azure AD groups to manage role assignments.
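
The steps in this section (create a role-assignable group, assign the role to the group, delegate membership to an owner) as one script. It is an added example, not code from the original post, for the Microsoft Graph PowerShell SDK; it assumes a signed-in Global Administrator or Privileged Role Administrator, since only those roles can create role-assignable groups, and a hypothetical owner helpdesk.lead@contoso.example.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK and a
# signed-in Global Administrator or Privileged Role Administrator. The owner UPN is hypothetical.
Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

# isAssignableToRole can only be set when the group is created, and such a group must be
# security-enabled with assigned (not dynamic) membership.
$group = New-MgGroup -DisplayName "Cloud_Helpdesk_Administrators" `
    -MailNickname "cloudhelpdeskadmins" -MailEnabled:$false -SecurityEnabled -IsAssignableToRole `
    -Description "Members receive the Helpdesk Administrator role indirectly"

# One role assignment for the group replaces one per person.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# Delegate membership, and therefore the role, to an owner outside the Global Administrator group.
$owner = Get-MgUser -UserId "helpdesk.lead@contoso.example"    # hypothetical
New-MgGroupOwnerByRef -GroupId $group.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }

# Check: the group carries the role, and the owner list is exactly who you intended.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
Get-MgGroupOwner -GroupId $group.Id | Select-Object Id
```

Because the owner can add any account to the group, the owner's own account should be protected at the same level as the role it controls (MFA, and ideally PIM eligibility for the ownership itself, as the section notes).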

7) Activate multiple roles at once

In some organizations, an individual has five or six eligible assignments to Azure AD roles through Privileged Identity Management (PIM). In this case, they’ll have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.

In this case, you should use privileged access groups: create a privileged access group, grant it permanent access to multiple roles (Azure AD and/or Azure), then make that user an eligible member or owner of the group. As shown in the diagram below, with just one activation the eligible member gets access to all the linked resources.

[Figure: Privileged access groups; image credit Microsoft]
To learn more, please check on how to assign eligibility for a privileged access group in Privileged Identity Management (PIM).

8) Use cloud-native accounts

Last but not least, avoid assigning Azure AD roles to accounts that are synchronized from on-premises Active Directory through Azure AD Connect; use cloud-native (cloud-only) accounts for Azure AD roles instead. If the on-premises account, or the on-premises directory itself, is compromised, the attacker inherits that account's Azure AD roles as well.
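
Best practices 5 and 8 are both checkable from the directory: how many principals hold Global Administrator, and whether any of them is a synced account. The following read-only audit is an added example, not code from the original post, for the Microsoft Graph PowerShell SDK. It assumes a reader with the listed scopes and two hypothetical break-glass account names; assignments made through a group are expanded to the group's members so the count is honest.

```powershell
# Added example (not from the original post). Read-only audit of Global Administrator holders.
# Assumes the Microsoft Graph PowerShell SDK; the break-glass UPNs are hypothetical.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","Group.Read.All"

$breakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # hypothetical
$props      = "id,userPrincipalName,onPremisesSyncEnabled"

$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Active (standing) assignments; eligible-only PIM assignments are not included here.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'"

$holders = foreach ($a in $assignments) {
    $u = Get-MgUser -UserId $a.PrincipalId -Property $props -ErrorAction SilentlyContinue
    if ($u) { $u; continue }
    # Not a user: if it is a group, every transitive member is effectively a Global Administrator.
    Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property $props -ErrorAction SilentlyContinue }
}

$findings = $holders | Sort-Object Id -Unique | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        SyncedFromOnPrem  = [bool]$_.OnPremisesSyncEnabled          # best practice 8: should be False
        BreakGlass        = $breakGlass -contains $_.UserPrincipalName
    }
}
$findings | Format-Table -AutoSize

# Best practice 5: fewer than five Global Administrators in total, break-glass accounts included.
if (@($findings).Count -ge 5) {
    Write-Warning "$(@($findings).Count) accounts hold Global Administrator; the target is fewer than five."
}
# Best practice 8: no synced account should hold the role.
$findings | Where-Object SyncedFromOnPrem | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) is synced from on-premises AD; move this role to a cloud-only account."
}
```

Service principals that hold the role are skipped by the `Get-MgUser` lookups and should be reviewed separately; a cloud-only account is one whose `onPremisesSyncEnabled` is not true, which is the property the script checks.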

Summary

In this article, we described the eight best practices for using Azure Active Directory role-based access control (Azure AD RBAC) and roles assignment.

By following these best practices, you can lower the attack surface for your Azure AD resources, and reduce the risk associated with stale role assignments.

> Make sure to check on how to secure privileged access for hybrid and cloud deployments in Azure AD.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
